* Thom May (thom@planetarytramp.net) [010130 01:30]:
> Sure. but at that point, how do we define the subset? Is it just
> the base system? Important packages? Daemons and services only?
> I guess my major concern is that this idea - while highly laudible -
> could easily eat up a major amount of infrastructure and
> developer time.
It is the question of what you get for it. Is the cost worth it?
If we had a more secure distribution it would be good.
And we also must consider what happens if we NOT make the
investment. Scriptkiddies allready target linux machines. Most
exploids are allready developed for linux systems.
THis will get more, I guess.
What we must ultimatly do is not only secure our source but also
educate upstream. If that does not work and upstream keeps
putting out insecure software, we have two choices:
* publish exploits and force upstream to adopt changes
* fork the code.
But this is in the distant future and not our problem now, even
though we should consider the options now.